Permanently attacks from the mailservers own public IP

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-06 12:34

Hi guys,
after a longer time, greetings again from Germany and a question:
For some days now I have noticed permanent attacks, probably from hackers who try to hack mail accounts.
I have Auto-ban enabled, and after 3 failed login tries the IP of the user should be banned.
The strange thing is that it is always the server's own public IP address that is banned.
For example: my email server has the public IP address 111.222.333.444, and there are always auto-ban entries like:

Auto-ban user 111.222.333.444 111.222.333.444 20 Time when the entry expires
Auto-ban admin 111.222.333.444 111.222.333.444 20 Time when the entry expires
etc.

How is it possible that the IP of the mail server itself is banned?
First I thought it was because of the webmail application (SquirrelMail) which is running on the mail server, but I got the same entries after disabling the webmail.

Does someone have an idea?
Errare humanum est, sed in errare perseverare diabolicum!

mattg
Moderator
Posts: 21115
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Permanently attacks from the mailservers own public IP

Post by mattg » 2013-04-06 16:19

It will either be a webmail user, a terminal service user, a local user elsewhere in the LAN, or perhaps you have a mail bot somewhere in your LAN.

You should have an IP range set for these anyway with a priority higher than 20 (say 25), so that autoban doesn't apply

Please list all current IP ranges (including the autoban ones) and the priority of each
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-06 19:45

Hello Mattg,
thanx for the reply and the first suggestions.
But I fear none of your ideas matches the problem exactly.

But let me answer step by step:
A webmail user cannot be the reason, because all of this still happens after disabling the webmail system completely.
A terminal service user as the reason is also extremely unlikely, because there is just one and that is me.
A user in the LAN (including a mail bot in the LAN) is also quite unlikely, because then the public IP of the router in the LAN would be shown as the lower/upper IP in the IP ranges and not the IP of the mail server itself.

I have already set an IP range for the public IP of the mail server itself with a priority of 60 so that the attacks cannot knock out the mail server completely. But that doesn't fix the problem, because the hacker can continue with the attack.

What I did not understand completely is when the IP is blocked: only if someone tries to log in to the POP and/or mail server, or also if he tries to authenticate to the SMTP server?
I disabled POP and IMAP from the IP of the mail server, but the attacks continue.

What I forgot to mention is that I have ASSP running in front of hMailServer on the same machine.

Here is an overview of the IP ranges as you asked. I hid the complete IP addresses. If you need more information, we should exchange it by PM.
Attachment: Mailserver_IP-Ranges.jpg

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-06 20:46

Normally, if you use ASSP the IP in hMail will be a private LAN IP, not your WAN internet IP. What do your hMail logs show for normal incoming mail? The same IP as the autobans? If so then there's your answer: you need to autoban in ASSP instead of hMail. You will likely need to block AUTH in ASSP & add a new IP range for ASSP & set it to external to local only (as in only public incoming is allowed on port 25 thru ASSP) and have users use a different port & be required to auth.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-06 20:50

Btw, to be clear: do not change IP ranges unless you completely understand what you are doing. Please ask questions if you are unsure.

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-06 21:08

Hello Bill,
thanx for the answer and the help.
No, I set the public IP of the mail server in ASSP and hMailServer, so the incoming emails are forwarded from the public IP port 25 to the public IP port 2525.
So the logs in hMail show the public IP for incoming mails, and this is the same IP as shown in the auto-bans.

Your suggestion to auto-ban in ASSP seems to be the right idea; I also thought about that.
But how can I use auto-ban in ASSP and/or how do I block AUTH in ASSP?
Maybe you can explain the exact settings which I would have to set in ASSP?

A new IP range for ASSP? What do you mean by that? ASSP has the same IP as hMailServer and I already set that IP range (in my screenshot called "Mailserver"). But incoming and outgoing emails are going through that IP. So if I restricted this IP to external to local only, what would happen with local to local emails, for example?
External to external emails are still forbidden.

By the way: I stopped ASSP about 1.5 hours ago and set the port for SMTP in hMailServer back to 25 because I hoped to see more (the real external IPs where the attacks come from), but since then no attack has happened again. Hmmm....
Maybe the flood of attacks from a particular hacker is over for the moment, but I really need a solution for the future.

Do you know in which cases the Auto-ban feature works? Is it just if someone tries to log on to the POP or IMAP server, or also if someone has wrong access data for authentication at SMTP?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-07 00:34

Because ASSP is a proxy, the sender's IP is not known by hMailServer. So just like you need special circumstances for webmail, you need something special for ASSP too. None of hMail's IP-based tests are useful in hMail with ASSP in front of hMail. Guess that was my point earlier. You need to rely on ASSP's auto banning, not hMail's. There are quite a few ASSP settings you should look at. For example SMTP Session Limits. Max errors is a good one. Max sessions should be like 80% of hMail's max SMTP to leave room for your users. Max sessions per IP should be something reasonable. Max Number of AUTHentication Errors is one to look at. (Note mine is set to 999, which is a special case for my mod'd ASSP. Normally you would not want 999.) Also idle timeout.

I couldn't find a way in ASSP to turn AUTH off completely, so I edited the ASSP Perl file, but partial protection can be done in an hMail script too:

```vbscript
' Block AUTH'd senders coming from the ASSP IP: public inbound mail relayed by ASSP
' should never authenticate, so a successful login from there means a cracked password.
' CStr() makes the port comparison work whether Port is returned as a number or a string.
If (oClient.IPAddress = "192.168.3.3" And CStr(oClient.Port) = "25" And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & Chr(34) & vbTab & oClient.IPAddress & vbTab & Chr(34) & oClient.Username)
End If
```

You'd need hMail 5.4 to put it in OnSMTPData, and change 192.168.3.3 to your ASSP IP that hMail sees. What the script does: if a connection comes in from that IP on port 25 & successfully logs in (bad news if it's a spammer, cuz they already hacked you at that point), at least they can't abuse you using a cracked password, because any message they try will be rejected with the same error that makes it look like they failed, & hopefully they go away feeling defeated. ;)

Not sure what version of ASSP you are on, but you can search assp.pl for

```perl
if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors) {
```

IF you find it you could replace it with

```perl
if ($MaxAUTHErrors >= 999 || ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors)) {
```

What that does is: if MaxAUTHErrors is set to 999 or higher (a special trigger setting) it FORCES ASSP to reject any AUTH attempt. If you set MaxAUTHErrors < 999 then it acts the original way, only rejecting if an IP has more than max. So you could set max to 1 and hope they don't get lucky :D

Btw my original hack was:

```perl
if ($MaxAUTHErrors) {
```

Which worked: if Max was set to anything, all AUTH attempts would be rejected, but I found my 2nd attempt (the >=999 method) more elegant yet still effective.

Btw understand with all this stuff I am assuming you have no users who send email on port 25 from your public IP or thru ASSP. For users they need to send on alternate port.

And yes, hMail's autobans are for any login attempts, be it POP/IMAP/SMTP.
Bill

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-07 02:29

Hello Bill,

again thanx for your answer and your help.

First, to answer your questions: I'm using hMailServer 5.3.3 - Build 1879 and ASSP 1.98.
Should I update to hMailServer 5.4 in a production environment?

Before I use your suggestions I am trying to understand everything you wanted to tell me.
That's why, first, to your sentence:
Btw understand with all this stuff I am assuming you have no users who send email on port 25 from your public IP or thru ASSP. For users they need to send on alternate port.
In my case ASSP is using port 25 and hMailServer is using port 2525.
I think that at the moment all of the users are sending through port 25 (which means directly through ASSP). If I understand you right, you would recommend sending through port 2525 of hMailServer? If yes, how can I use the email interface of ASSP (for example to send spam and not-spam examples to ASSP)?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-07 07:53

Many of us have been on 5.4 since early alphas & 5.3.x has known issues, so 5.4 is considered more stable even if no official 'gold' release has been made. Granted, B1944 & B1946 have a known issue with forwarding certain types of messages that was just discovered; I've fixed the problem & plan to post a release for those who don't want to roll back to B1942, which didn't have the issue. It's a matter of choice: using a closed source version with known issues & likely no further updates, or an open source one that is actively developed (although slow to release) and that many of us have been using on busy production servers for over 2 years now with none to minor issues.

I was referring to your users sending direct to hMail & not thru ASSP, where ASSP is just for incoming mail. For your users to send thru ASSP or use the email interface you'd need to make adjustments.
Bill

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-07 10:41

Hello Bill,
I upgraded to version 5.4 - b1946 yesterday, so could you please tell me where I can download the version in which the forwarding issues are fixed?

Which adjustments should I make so that the users can send mails using port 25 of ASSP, but nevertheless I could use your suggestion for ASSP to reduce the attacks?
Or is there a possibility to forward emails for special (ASSP) local users from hMailServer to ASSP?

Maybe the whole settings and your global solution could be interesting for other users too who are using ASSP in front of hMailServer.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-07 16:22

gruenie wrote:
Hello Bill,
I upgraded to version 5.4 - b1946 yesterday, so could you please tell me where I can download the version in which the forwarding issues are fixed?

Which adjustments should I make so that the users can send mails using port 25 of ASSP, but nevertheless I could use your suggestion for ASSP to reduce the attacks?
Or is there a possibility to forward emails for special (ASSP) local users from hMailServer to ASSP?

Maybe the whole settings and your global solution could be interesting for other users too who are using ASSP in front of hMailServer.

You either want B1942 from here:
http://www.hmailserver.com/index.php?pa ... ad_archive
Or you could use one of my experimentals that are B1942 or earlier:
http://www.hmailserver.com/forum/viewto ... 10&t=21420

If you don't do any forwarding in hMail (aliases, forwards, rules, scripts) then the bug wouldn't matter to you.

As far as your ASSP, it'd depend on how you use it. It'd depend mostly on where/how your users send email, as it might require reconfiguring all of your clients.
Bill

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-07 17:30

Hello Bill,
thanx again for your answer.
If you don't do any forwarding in hmail (aliases, forwards, rules, scripts) then the bug wouldn't matter to you.
Of course I have many aliases, forwards and rules in my hMailServer installation.
If I understood you right, the forwarding bugs are fixed in your last build from March 18?!
Is that right?
So I upgraded the files to your last build.

Well, now I have hMailServer 5.4 up and running, but that does not fix my attack problem as explained yesterday.
If it is not too much for you, maybe you can advise me again what exactly I have to change now if I want to use ASSP:25 also for sending emails.
Alternatively you could tell me if and how it is possible to forward local messages meant for the email interface of ASSP (for example assp-spam@mydomain.de) from hMailServer:2525 to ASSP:25. Then I could use hMailServer for sending all mails.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-07 18:05

No, I have not posted a new experimental with the forwarding fix in place. You either need to roll back to B1942 or use one of my older builds that's from before Jan 2013. (I note what base build I'm on with experimentals, so any that are B1944-B1946 have the bug.) As I said I hope to post a new experimental today but have been tied up with family stuff.

The simplest route is to tell your senders to use another port that points direct to hMail instead of going thru ASSP, & modify your ASSP to not allow AUTH as I posted earlier. You lose your email reporting, but that is a quick easy fix. To get email reporting back with that setup you'd need to get ASSP to accept the messages with an IP-based bypass. You can't use AUTH-based because then the spammer still has access. But if your users are on fixed IPs (private LAN range or your own public IP maybe) then it could be done. Understand that to stop spammers from doing dictionary attacks you can't let them try to log in in the 1st place, or at least have autobanning to slow them down. So it's up to you to decide the balance of security with functionality.
Bill

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-07 19:47

Hello Bill,

I downgraded my hMailServer to version 5.4-b1942.

Of course the security is much more important than the functionality of ASSP.
But the purpose of ASSP is to avoid as much spam as possible.
And so the email interface in my view is an important feature to enable users to put senders on their own black- or whitelist, for example simply by forwarding emails to ASSP.

Maybe I'm completely wrong, then please excuse me, but I thought that the problem of forwarding mails to the email interface of ASSP is in hMailServer and not in ASSP if I send all emails through hMailServer.
For example: the domain hosted in my hMailServer is mydomain.de. There I have a lot of accounts. But if I want to forward mails (spam or not-spam) to ASSP then I have to send them e.g. to "assp-spam@mydomain.de", which is hosted in ASSP. If I send all my emails through port 2525 of hMailServer, for example, then this account "assp-spam@mydomain.de" is unknown in hMailServer and the mail will not be delivered.
That's why I asked if there is a possibility to tell hMailServer to forward these emails to ASSP instead of blocking them.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-08 00:09

There are a few ways to set up ASSP in terms of the flow of email, including depending on whether your users use the email interface or not. Mine do not. Normally if you want the email interface your users send email thru ASSP & ASSP catches the control emails by the special address. Since ASSP is a proxy all the mail goes thru it & there is no message forwarding involved. If you set up your users to send direct to hMail on an alternate port then you'd need a sub-domain & route to tell hMail to forward those messages to ASSP, & ASSP would need to be set to trust your hMail IP. If I recall there is a way for ASSP to grab messages via POP or folder too, but again I don't use that feature as I've never had a need for it, as all of our end-user or domain-level customizations are done in SA or hMail & not ASSP.
Bill

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-08 21:30

Hello Bill,
I created a subdomain (let me say "assp.mydomain.de"), added this domain as local in ASSP and added a route to hMailServer to forward all messages to this subdomain to ASSP.
It seems to work. So all the users can use the email interface of ASSP if they want to.
In addition I added SSL support to hMailServer and will advise all users to send emails through port 465 of hMailServer.
So I think all is done as you told me.

Now I need to make the changes to avoid future attacks.

First you advised me to change settings in hMailServer:
I couldn't find a way in ASSP to turn AUTH off completely, so I edited the ASSP Perl file, but partial protection can be done in an hMail script too:

```vbscript
' Block AUTH'd senders coming from the ASSP IP.
' CStr() makes the port comparison work whether Port is returned as a number or a string.
If (oClient.IPAddress = "192.168.3.3" And CStr(oClient.Port) = "25" And oClient.Username <> "") Then
  Result.Message = "AUTH FAILED. You must be authenticated to send."
  Result.Value = 2
  EventLog.Write("ASSP AUTH attempt rejected:" & Chr(34) & vbTab & oClient.IPAddress & vbTab & Chr(34) & oClient.Username)
End If
```

You'd need hMail 5.4 to put it in OnSMTPData, and change 192.168.3.3 to your ASSP IP that hMail sees.
... but I have no idea where to add this code. Maybe you can explain.

Second you told me to edit assp.pl:
But I have no idea where exactly I should make your changes.
There are two places in assp.pl which start with "if ($MaxAUTHErrors ", but there is no place which matches your lines exactly.
One place could be:

```perl
elsif($l=~/^(\s*AUTH([^\r\n]*))\r?\n/io) {
        my $ffr = $1;
        my $authmeth = $2;

        my $ip = &ipNetwork( $this->{ip}, 1);
        if ($MaxAUTHErrors
            && !$this->{relayok}
            && !$this->{nopb}
            && !$this->{ispip}
            && !$this->{noprocessing}
            && !$this->{whitelisted}
            && !$this->{acceptall}
            && $AUTHErrors{$ip} > $MaxAUTHErrors) {
...
```

Maybe you could send me the edited assp.pl if you have it for the latest version 1.98?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-08 22:37

Hi. OK cool, sounds like you're set with the subdomain & relaying of that. Glad you got that sorted.

That "Block AUTH'd from ASSP IP" script goes in your hMailServer events file. You can enable & edit it under Scripting in the hMail admin GUI, or edit hmailserver/Events/EventHandlers.vbs directly, but you need to reload the script in admin or restart hMail for changes to take effect. Always best to do it in admin & use the 'test' option before activating, though. Ideally you should be on 5.4; then you'd put it in a new OnSMTPData section like:

```vbscript
Sub OnSMTPData(oClient, oMessage)
  ' Block AUTH'd senders coming from the ASSP IP: public inbound mail relayed by ASSP
  ' should never authenticate, so a successful login from there means a cracked password.
  ' Change 192.168.3.3 to the IP hMailServer shows when ASSP connects.
  ' CStr() makes the port comparison work whether Port is returned as a number or a string.
  If (oClient.IPAddress = "192.168.3.3" And CStr(oClient.Port) = "25" And oClient.Username <> "") Then
    Result.Message = "AUTH FAILED. You must be authenticated to send."
    Result.Value = 2
    EventLog.Write("ASSP AUTH attempt rejected:" & Chr(34) & vbTab & oClient.IPAddress & vbTab & Chr(34) & oClient.Username)
  End If
End Sub
```

Note you'd need to change oClient.IPAddress to match whatever IP hMail shows when ASSP connects. Odds are you'd leave it port 25 unless ASSP connects to a different port when proxying the incoming public email. The whole idea is that you are limiting the test to ASSP, & that can only be done with an IP & port that are unique to that public email thru ASSP & not your users etc. The reason is that the script will stop all mail from that IP & port if the sender AUTHs. Obviously that'd be bad for your users, and public incoming should never auth, so if done right it should be a good thing.

Yeah, sorry, in terms of the ASSP suggestion I had no idea what version of ASSP you were on; I was just showing you an example based on 2.x of ASSP. Looks like 1.98 is no longer available for download (at least not obviously), but based on 1.9.9 it seems there are some differences to contend with to edit it. Based on 1.99:

In 1.99 the next one I found was at 12428:

```perl
        if ($MaxAUTHErrors
            && !$this->{relayok}
            && !$this->{nopb}
            && !$this->{ispip}
            && !$this->{noprocessing}
            && !$this->{whitelisted}
            && !$this->{acceptall}
            && $AUTHErrors{$ip} > $MaxAUTHErrors) {
```

becomes:

```perl
        if ($MaxAUTHErrors
            && !$this->{relayok}
            && !$this->{nopb}
            && !$this->{ispip}
            && !$this->{noprocessing}
            && !$this->{whitelisted}
            && !$this->{acceptall}
            && ($AUTHErrors{$ip} > $MaxAUTHErrors || $MaxAUTHErrors >= 999)) {
```

Which will block AUTH login IF errors for that IP are greater than max OR if the max setting is greater than 999, IF the sender is not pre-defined as a relayer, not in the penalty box, is not an ISP IP, is not in no-processing, is not whitelisted and is not on the acceptall list. IOW setting your max auth errors to the special 999 will block AUTH by all but senders you add to one of the many bypass lists mentioned. You'll want to add your server IP, for example.

Now at 17685 there is sub AUTHErrorsOK { which might need to be edited.

```perl
    return 1 if $AUTHErrors{$ip}++ <= $MaxAUTHErrors;
```

becomes

```perl
    return 1 if ($MaxAUTHErrors < 999 && ($AUTHErrors{$ip}++ <= $MaxAUTHErrors));
```

Which, you notice, is <999 vs >=999 like the others. That is because the test is the opposite, so the new code means IF the current auth error count +1 is less than max OR if max is <999 (not the special trip wire setting) then return "OK", otherwise it'll drop to the next line & reject. Note all the return 1 lines above which allow the auth under all those conditions (IOW the sender is on an OK list to bypass the block).

Understand the above is UNTESTED, but I've done my best to suggest what I think should work. You should keep backups of your original files and do some IMMEDIATE testing after making changes; that way you can roll back if needed & minimize the risk of lost/rejected emails.
Bill

tko2003
New user
Posts: 6
Joined: 2010-03-03 20:25

Re: Permanently attacks from the mailservers own public IP

Post by tko2003 » 2013-04-09 18:02

So Grueni,
what is the reason that all the IPs have been blocked?

Tamer

gruenie wrote:
Hello Mattg,
thanx for the reply and the first suggestions.
But I fear none of your ideas matches the problem exactly.

But let me answer step by step:
A webmail user cannot be the reason, because all of this still happens after disabling the webmail system completely.
A terminal service user as the reason is also extremely unlikely, because there is just one and that is me.
A user in the LAN (including a mail bot in the LAN) is also quite unlikely, because then the public IP of the router in the LAN would be shown as the lower/upper IP in the IP ranges and not the IP of the mail server itself.

I have already set an IP range for the public IP of the mail server itself with a priority of 60 so that the attacks cannot knock out the mail server completely. But that doesn't fix the problem, because the hacker can continue with the attack.

What I did not understand completely is when the IP is blocked: only if someone tries to log in to the POP and/or mail server, or also if he tries to authenticate to the SMTP server?
I disabled POP and IMAP from the IP of the mail server, but the attacks continue.

What I forgot to mention is that I have ASSP running in front of hMailServer on the same machine.

Here is an overview of the IP ranges as you asked. I hid the complete IP addresses. If you need more information, we should exchange it by PM.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 20:20

tko2003 wrote:
So Grueni,
what is the reason that all the IPs have been blocked?

Tamer

Tamer, since ASSP is a proxy all connections appear to come from the ASSP IP address. If hMail's autoban is enabled then the ASSP IP gets autobanned if a spammer tries a dictionary attack to guess user/pass. That in turn stops all inbound mail since ASSP can't connect to hMail anymore. Adding a higher priority IP range to hMail for the ASSP IP solves the blocking issue but then renders autoban useless for port 25. The same thing happens with webmail & is why there is a how-to on webmail to add the bypass IP range, but there is also a warning to make sure webmail itself has its own autoban to block such attacks. In gruenie's case ASSP needs to be locked down.
Bill

tko2003
New user
Posts: 6
Joined: 2010-03-03 20:25

Re: Permanently attacks from the mailservers own public IP

Post by tko2003 » 2013-04-09 20:31

Yes,
I have that kind of issue: there are some old generic mail accounts from customers which always run into Autoban, but the customer doesn't know anymore where he installed the generic user... :(

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-09 20:41

Hello Bill,

today I finished all the changes in ASSP as you advised me.
But unfortunately there seems to be a wrong setting, because after doing all the changes no email from outside has arrived any more.

The sender got the message:
Your message did not reach some or all of the intended recipients.

Sent: Tue, 09 Apr 2013 20:18:11 +0200
Subject: test

The following recipient(s) could not be reached:

info@xxx.de
Error Type: SMTP
Remote server (IP of my Mailserver) issued an error.
hMailServer sent:
Remote server replied: 554 <ASSP.nospam> Service denied for IP 82.xxx.255.115 (harvester), closing transmission channel

After changing the value "999" back to another one in SMTP session limits (Max Number of AUTHentication Errors) mails arrived again.
So it seems there is a mistake in the changes in assp.pl (maybe together with the effect of the changes in EventHandlers.vbs).
I have no idea where exactly the problem is caused.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 20:58

tko2003 wrote:
Yes,
I have that kind of issue: there are some old generic mail accounts from customers which always run into Autoban, but the customer doesn't know anymore where he installed the generic user... :(

Do you use ASSP?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 21:00

gruenie wrote:Hello Bill,

today I finished all the changings in ASSP as you adviced me.
But unfortunately there seems to be a wrong setting, because after doing all the changes no email from outside have been arrived any more.

The sender got the message:
Your message did not reach some or all of the intended recipients.

Sent: Tue, 09 Apr 2013 20:18:11 +0200
Subject: test

The following recipient(s) could not be reached:

info@xxx.de
Error Type: SMTP
Remote server (IP of my Mailserver) issued an error.
hMailServer sent:
Remote server replied: 554 <ASSP.nospam> Service denied for IP 82.xxx.255.115 (harvester), closing transmission channel
After changing the value of "999" back to another one in SMTP session limits (Max Number of AUTHentication Errors), mails arrived again.
So it seems there is a mistake in the changes in the assp.pl (maybe together with the effect of the changes in eventhandlers.vbs).
I have no idea where exactly the problem is caused.
So does all email get rejected with that error, or is that just 1 example? Are you sure it's not a legit reject? I'll have to search the assp code for that response to see if it's related.
Bill

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 21:03

OK i found it. The section at line 9672, change that back to:


    if ($MaxAUTHErrors
        && !$relayok
        && !$this->{nopb}
        && !$this->{ispip}
        && !$this->{noprocessing}
        && !$this->{whitelisted}
        && !$this->{acceptall}
        && $AUTHErrors{$bip} > $MaxAUTHErrors
       )


I'll go edit my other post so no one else edits it. Sorry about that; as I said, it wasn't tested :D
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-09 21:33

Hello Bill,

after changing the code back and restarting ASSP it seems to work.
At least all the emails I sent from 3 different mail accounts and servers arrived.

Hope that was the solution.

Thanx again for the time you spent solving my problem.
Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 21:56

gruenie wrote:Hello Bill,

after changing the code back and restarting ASSP it seems to work.
At least all the emails I sent from 3 different mail accounts and servers arrived.

Hope that was the solution.

Thanx again for the time you spent solving my problem.
Gruenie
OK, cool. Looking at my copy I had not edited that other section either, so maybe I found out the hard way too but forgot. lol

Btw don't forget to add your hmail server IP to assp as noprocessing, whitelist, isp and/or acceptall if you have hmail's route to assp for the assp sub-domain set to auth; otherwise hmail will get rejected too.
Bill

tko2003
New user
New user
Posts: 6
Joined: 2010-03-03 20:25

Re: Permanently attacks from the mailservers own public IP

Post by tko2003 » 2013-04-09 22:01

Gruenie,
can I come back to you for a little conversion, so that we can provide this as a document in German?
I think this would be needful as a little tutorial, but it seems that it would be easier in German for some people in here?

Tamer

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-09 22:32

@ Bill48105:
Ok, thanx for the advice, I just added the IP to the lists you told me. :-)

@ tko2003:
Are you from Germany too? ;-)
But the language of this board is just English.
Where do you want to publish this tutorial in German?
Are you sure it is necessary? Now, after discussing everything and fixing the little errors in Bill's suggestions, all seems to be clear and easy to understand.
Btw I already started to put all the steps in a German document because I'm sure I will need it again soon when I'm setting up another mail server for another customer.

I did the same with a tutorial to set up SSL for hMailServer and ASSP, because there is one big mistake in the howto here at this site and some steps are a little bit confusing. :-)

tko2003
New user
New user
Posts: 6
Joined: 2010-03-03 20:25

Re: Permanently attacks from the mailservers own public IP

Post by tko2003 » 2013-04-09 22:40

Yes,
from Germany, Stuttgart/Swabia.
I thought about posting here, so when someone searches here, we can tag it with some keywords.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-09 22:43

Posting in another language is OK as long as it's also there in English. So posting up the info in German to add to what has already been posted in English would be a good idea.
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-10 09:40

@ tko2003:
Ok, I will publish the German version of it once I'm absolutely sure that it works without any problems.
Btw I'm from Halle (Saxony-Anhalt).

@ Bill48105:
Hi Bill,
since yesterday hMailServer does not fetch my mails from external Gmail and Hotmail accounts any more; before, it worked. Fetching from other external accounts is working.
Could the reason be found in our changes?
If I send an email from the external Gmail account to the account in hMailServer it arrives there, but fetching it from this account does not work at all.
If I enable POP logging there is no entry for fetching from Gmail or Hotmail.
Do you have any idea?

mattg
Moderator
Moderator
Posts: 21115
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Permanently attacks from the mailservers own public IP

Post by mattg » 2013-04-10 09:57

Is there POP logging when you manually fetch from these external accounts?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-10 10:15

Hi Bill,
with TCP/IP logging additionally enabled I got a result.
For Gmail:
    "DEBUG" 4984 "2013-04-10 09:47:29.466" "Creating session 241"
    "TCPIP" 4984 "2013-04-10 09:47:29.466" "Connecting to pop.gmail.com..."
    "TCPIP" 2032 "2013-04-10 09:47:29.560" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: asio.ssl error, Remote IP: 173.194.67.109"
    "DEBUG" 4984 "2013-04-10 09:47:29.560" "ExternalFetch::~Start"
    "DEBUG" 4984 "2013-04-10 09:47:29.575" "Ending session 241"
For Hotmail:
    "DEBUG" 6104 "2013-04-10 09:51:39.442" "Creating session 252"
    "TCPIP" 6104 "2013-04-10 09:51:39.458" "Connecting to pop3.live.com..."
    "TCPIP" 172 "2013-04-10 09:51:39.802" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: asio.ssl error, Remote IP: 65.55.39.135"
    "DEBUG" 6104 "2013-04-10 09:51:39.802" "ExternalFetch::~Start"
    "DEBUG" 6104 "2013-04-10 09:51:39.817" "Ending session 252"
So it seems it has to do with SSL, because all the other external accounts are without SSL.

After searching around here in the forum I found this topic:
http://www.hmailserver.com/forum/viewto ... =6&t=23699

So it seems this problem has to do with hMailServer 5.4 and external certificates!
I did not get the discussion there exactly. I thought I had to place the ca.cert for my own certificates as <hash>.0 in the directory X:\hMailServer\Externals\CA???

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-10 10:45

Problem with fetching external SSL accounts is solved!

There is a wrong description for setting up your own SSL certificates in the following topic:
http://www.hmailserver.com/forum/viewto ... 12&t=22371

There it is explained to rename the external ca.cert to <hash_value>.0 and to place that file in the directory <hMailServer>\Externals\CA.

In the topic http://www.hmailserver.com/forum/postin ... =6&t=23699 Martin says that no file has to be there in this folder.

After deleting the file in <hMailServer>\Externals\CA and restarting hMailServer all works fine again (with my own certificate and with external SSL accounts).

So it seems the explanation in the topic mentioned above is wrong and should be corrected!

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-10 15:36

gruenie, glad you got the external acct SSL thing sorted. Yeah, I wouldn't have figured any changes you made to assp would have anything to do with it. :D Interesting you say there is a problem with that SSL post. Suppose I should look into it.

How's the assp auth blocking working?
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-10 19:28

Hi Bill,
LOL, no, I wasn't talking about the changes in ASSP as a possible cause of trouble with fetching external SSL accounts, because ASSP is not involved, but we did some changes in hMailServer too. I just wanted to be sure at the moment when I asked.

I had some new entries in hMailServer's Auto-ban table last night, but I'm not sure if it happened maybe when I tried to fix the SSL problem and reverted some changes.
I will keep watching it.

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-15 00:45

@ Bill48105:

Hello Bill,
after some days of testing the new security settings it seems to work.
I did not have any new entries in the auto-banned IP ranges which pointed to the IP of ASSP. There were some new entries, but all with outside IPs (probably someone tried to use port 587 in hMailServer).
And I did not miss any emails from the outside world.
So for now I would say you did great work! ;-)
Thanx again.

I finished the howto in German and wanted to add it here as a PDF file, but it seems that is not allowed?!

@tko2003:

Hello Tamer,
after testing the whole thing thoroughly for a few days, it looks as if everything works as desired.
I have now revised the German version of the guide and hope it helps you and some others who speak German.

Now I wanted to attach the whole thing here as a PDF, but that doesn't seem to be allowed...

Regards, Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-15 02:14

Ok, cool gruenie. Yeah, you will find some spammers try ports besides 25. But for those hmail's autoban will actually work like it should to stop them. You can also use scripts to stop attacks on those other ports. For example, if all of your users are in your country & nowhere else, you can use geoip to block all connects on those ports from other countries. There is a lot you can do if you so choose.
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-19 16:50

Hi Bill,

I have in mind to upgrade from ASSP 1.98 to the current version 2.2.1.

Can you tell me in some words how to upgrade on a Windows server without losing my current settings?
Will your changes to the assp.pl and in hMailServer's EventHandlers.vbs also work with this version of ASSP?

Thanx for your help!
Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-19 22:51

gruenie wrote:Hi Bill,

I have in mind to upgrade from ASSP 1.98 to the current version 2.2.1.

Can you tell me in some words how to upgrade on a Windows server without losing my current settings?
Will your changes to the assp.pl and in hMailServer's EventHandlers.vbs also work with this version of ASSP?

Thanx for your help!
Gruenie
I like assp 2.x a lot more than 1.x, BUT understand it uses a TON more memory. It has more features, and seems more robust & stable though.

Upgrading from 1.x to 2.x isn't that difficult (or shouldn't be), but the #1 rule is make sure you have a good backup just in case. When I upgraded the biggest hassle was getting perl upgraded to a recent enough version & one that supported threading. Then it was a matter of stopping assp, backing up the entire assp dir/tree, copying 2.x files over 1.x files (overwriting & noting the ones that get overwritten) & starting ASSP in console, NOT as service/daemon, so I could watch it run. Doing so was a good thing because assp tried upgrading when it saw my old 1.x config files & kept crashing. I eventually narrowed it down to a file in the "files" folder (it's where config stuff, caches etc. are stored). I don't recall which file it was, but I found out by moving all files out of there & moving them back a few at a time with assp stopped & seeing if assp would start again. It was a bit of a pain, but beyond perl woes & that files issue it wasn't too bad. Once I was able to get assp to run I then ran it as daemon/service & reviewed all the settings, since all new ones go to default since they didn't exist before. I also reviewed all my existing settings & watched the live status window as mail flowed & did some testing.
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-20 07:44

Hello Bill,

thanx for the explanation.
But that sounds far from being easy and without problems. I think it's a better idea to do a fresh and clean installation of ASSP V2.

But the other question I had was:
Will your changes to the assp.pl and in hMailServer's EventHandlers.vbs to avoid attacks also work with ASSP V2?

Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-20 18:21

Not sure how you figure a fresh install is easier than an upgrade, but that's your call.
Yes, I use my changes in v2 but they are at different line #'s & possibly slightly different. You can search for them & modify.
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-20 20:32

Hi Bill,

once more a question about the changes in the assp.pl

In the old version 1.99 you advised the following:
1. In line 12428:
Code:
    if ($MaxAUTHErrors
    ........
    && $AUTHErrors{$ip} > $MaxAUTHErrors) {

becomes:
    if ($MaxAUTHErrors
    ........
    && ($AUTHErrors{$ip} > $MaxAUTHErrors || $MaxAUTHErrors >= 999)) {

2. In line 17685 there is sub AUTHErrorsOK {, which might need to be edited.
Code:
    return 1 if $AUTHErrors{$ip}++ <= $MaxAUTHErrors;

becomes:
    return 1 if ($MaxAUTHErrors < 999 && ($AUTHErrors{$ip}++ <= $MaxAUTHErrors));

In the new version 2.2.1 I found the first change in line 16201:
Code:
    if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors) {

becomes:
    if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors || $MaxAUTHErrors >= 999) {

That should be right?!

But for the second change I'm not sure because the code is different:
I found it at line 22756:
Code:
   sub AUTHErrorsOK {
       my $fh = shift;
       return 1 unless $MaxAUTHErrors;
       return AUTHErrorsOK_Run($fh);
   }

How should I change this?

Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-20 21:50

My notes on 2.x say there is only 1 place to change it, but I didn't note the line #, just to find:
if ($MaxAUTHErrors && $AUTHErrors{$ip} >= $MaxAUTHErrors) {
So I'd guess you have the right one, but you can always make the change & test.
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-20 22:33

If that code is the right one to change, I think I got it, but for the other part I have no idea how to change and set it because it's completely different from the code in version 1.98/1.99.

The code in version 1.98 was:

sub AUTHErrorsOK {
    my $fh = shift;
    return 1 unless $MaxAUTHErrors;
    my $this = $Con{$fh};
    return 1 if ($this->{relayok});
    return 1 if ($this->{whitelisted});
    return 1 if ($this->{noprocessing} == 1);
    return 1 if ($this->{ispip});
    return 1 if matchIP($this->{ip},'noMaxAUTHErrorIPs',0,1);
    my $ip = $this->{ip};
    $ip = &ipNetwork( $ip, $PenaltyUseNetblocks);

    return 1 if $AUTHErrors{$ip}++ <= $MaxAUTHErrors;
    $this->{messagereason}="too much AUTH errors from $ip";
    pbAdd( $fh, $this->{ip}, 'autValencePB', "AUTHErrors" ) if ! matchIP($ip,'noPB',0,1);
    $AUTHErrors{$ip}++;
    return 0;
}

and in version 2.2.1 it is:

   sub AUTHErrorsOK {
       my $fh = shift;
       return 1 unless $MaxAUTHErrors;
       return AUTHErrorsOK_Run($fh);
   }

I have no idea what to change?!

Gruenie
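The 1.98 AUTHErrorsOK routine quoted above and Bill's ">= 999" sentinel from the 1.99 instructions both come down to one thing: how AUTH failures are counted per client at the proxy, and which clients never count. The Python below is an added example written for this thread, not ASSP's or hMailServer's code. It models that gate: a per-source counter with the same exemptions as the 1.98 routine (relayok, whitelisted, noprocessing, ispip, plus an exempt-network list standing in for noMaxAUTHErrorIPs) and the 999 sentinel that turns the limit into "no AUTH from outside at all". The netblock option (counting per /24 rather than per host, loosely after PenaltyUseNetblocks) and every address are constructed assumptions.

```python
"""Per-client AUTH failure gate modelled on ASSP's AUTHErrorsOK (illustrative, not ASSP's code)."""
from dataclasses import dataclass, field
import ipaddress

REJECT_ALL = 999   # Bill's convention: a limit of 999 or more means "no AUTH from outside at all"


@dataclass
class Conn:
    """What the proxy knows about the connection (the $Con{$fh} hash in the Perl)."""
    ip: str
    relayok: bool = False        # local / relay network
    whitelisted: bool = False
    noprocessing: bool = False
    ispip: bool = False


@dataclass
class AuthGate:
    max_auth_errors: int
    exempt_networks: list = field(default_factory=list)   # stands in for noMaxAUTHErrorIPs
    netblock_prefix: int = 0      # assumption: 0 counts per host, 24 counts per /24 (cf. PenaltyUseNetblocks)
    errors: dict = field(default_factory=dict)            # %AUTHErrors
    penalties: list = field(default_factory=list)         # what pbAdd would have recorded

    def _key(self, ip):
        if self.netblock_prefix:
            return str(ipaddress.ip_network(f"{ip}/{self.netblock_prefix}", strict=False))
        return ip

    def _exempt(self, c):
        if c.relayok or c.whitelisted or c.noprocessing or c.ispip:
            return True
        addr = ipaddress.ip_address(c.ip)
        return any(addr in ipaddress.ip_network(n) for n in self.exempt_networks)

    def auth_error_ok(self, c):
        """Called after a failed AUTH: True keeps the session, False rejects and penalises."""
        if not self.max_auth_errors:         # feature switched off
            return True
        if self._exempt(c):                  # trusted sources never count
            return True
        key = self._key(c.ip)
        self.errors[key] = self.errors.get(key, 0) + 1
        # Patched condition: below the sentinel, allow up to max_auth_errors failures;
        # at or above it, reject outside AUTH on the very first failure.
        if self.max_auth_errors < REJECT_ALL and self.errors[key] <= self.max_auth_errors:
            return True
        self.penalties.append((key, "AUTHErrors"))
        return False


if __name__ == "__main__":
    gate = AuthGate(max_auth_errors=3)
    for i in range(1, 5):                     # constructed outside client
        print("outside failure", i, "-> ok:", gate.auth_error_ok(Conn("203.0.113.5")))
    strict = AuthGate(max_auth_errors=REJECT_ALL)
    print("sentinel, outside:", strict.auth_error_ok(Conn("203.0.113.6")))
    print("sentinel, relayok:", strict.auth_error_ok(Conn("10.0.0.2", relayok=True)))
```

Whatever limit is chosen below the sentinel, it should be lower than the backend's own auto-ban threshold (Zipi's single-setting workaround later in the thread): the proxy then drops the client before its own address accumulates enough failures at hMailServer to get banned.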

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-21 05:38

As I said I think you only change 1 place in 2.x

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-21 08:06

Ok Bill, thanx again for your help.

From your post before I thought you hadn't been sure, but now it's clear.

Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-21 16:10

gruenie wrote:Ok Bill, thanx again for your help.

From your post before I thought you hadn't been sure, but now it's clear.

Gruenie
Based on my recollection of 2.x (i.e. notes) and the fact that 1.x had multiple places, I wasn't sure why there would be a difference, except for the fact that 2.x must be different enough from 1.x besides threading. Based on my tests, changing that 1 area in 2.x blocks AUTH from outside. You can test yours & know for sure. :)
Bill

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-21 16:31

Thanx again for your time and help, dear Bill!
Gruenie

gruenie
Senior user
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: Permanently attacks from the mailservers own public IP

Post by gruenie » 2013-04-26 12:04

Hi Bill,

again me with another question:
Since we are sending emails directly through hMailServer and no longer through ASSP because of the changes you told me about, we miss an important feature of ASSP.
Normally ASSP automatically marks as "whitelisted" all email addresses we send mails to (through ASSP).
Do you have any ideas for a workaround?

And by the way:
Please have a look at my following post regarding upgrading to version 5.4 and changing the paths:
http://www.hmailserver.com/forum/viewto ... 39#p148839

Gruenie

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2013-04-26 17:23

To me that is an awful feature, but to each his own. You'd have a few options, but the cleanest would be to modify the assp setup or script to allow your users to send by IP or special port. IOW you could whitelist them if they have a static IP or, if needed, a range, understanding the risks.
Bill

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Permanently attacks from the mailservers own public IP

Post by LesD » 2014-01-23 22:33

ASSP allows for the definition of two sets of incoming ports with matching output ports.

Wouldn't the following be a simple solution to differentiate between public mail and private?

ASSP: incoming: port 25 forwarded to hMS: port 125

ASSP: incoming: port 60025 forwarded to hMS: port 60125

In hMS script you block AUTH on port 125 only.

Local users, and privileged public users, would use 60025 and thereby bypass the AUTH blocking and still benefit from the ASSP whitelisting.
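LesD's port split, and the auto-ban symptom that started this thread, are easier to reason about with a small model. The Python below is an added example, not hMailServer's or ASSP's code. It models a backend auto-ban keyed on the connecting IP, shows why every attacker behind the proxy lands on the proxy's own address, and then applies the two mitigations discussed in the thread: an IP range for the proxy with a higher priority than the auto-ban range so that auto-ban does not apply to it, and allowing AUTH only on the listening port that the private ASSP path forwards to (125 for internet mail, 60125 for local and privileged senders). All addresses, priorities and the range model itself are constructed assumptions.

```python
"""Model of an auto-ban behind an ASSP-style proxy (illustrative, not hMailServer's or ASSP's code)."""
from dataclasses import dataclass
import ipaddress

PROXY_IP = "192.0.2.10"          # constructed: the address ASSP connects from, as the backend sees it
PUBLIC_PORT = 125                 # constructed after LesD's layout: ASSP :25 -> hMS :125 (internet mail)
PRIVATE_PORT = 60125              # constructed: ASSP :60025 -> hMS :60125 (local / privileged senders)


@dataclass(order=True)
class IpRange:
    """One IP range entry: the highest priority that matches wins, and it says whether auto-ban applies."""
    priority: int
    network: str
    name: str
    autoban_applies: bool


class AutoBan:
    """Auto-ban keyed on the *connecting* IP, the only address the backend can see."""

    def __init__(self, max_failures, ranges):
        self.max_failures = max_failures
        self.ranges = sorted(ranges, reverse=True)   # highest priority first
        self.failures = {}
        self.banned = set()

    def matching_range(self, ip):
        addr = ipaddress.ip_address(ip)
        for r in self.ranges:
            if addr in ipaddress.ip_network(r.network):
                return r
        return None

    def failed_login(self, connecting_ip):
        """Record one failed login; return True if the connecting IP is now banned."""
        r = self.matching_range(connecting_ip)
        if r is not None and not r.autoban_applies:
            return False                              # exempt range, e.g. the proxy itself
        n = self.failures.get(connecting_ip, 0) + 1
        self.failures[connecting_ip] = n
        if n >= self.max_failures:
            self.banned.add(connecting_ip)
        return connecting_ip in self.banned


def attack_through_proxy(autoban, attacker_ips, attempts_each):
    """Several attackers, a few failed AUTHs each, all arriving at the backend from the proxy address."""
    for _attacker in attacker_ips:
        for _ in range(attempts_each):
            autoban.failed_login(PROXY_IP)
    return PROXY_IP in autoban.banned


def auth_allowed(listening_port):
    """LesD's split: AUTH is accepted only on the port the private ASSP listener forwards to."""
    return listening_port == PRIVATE_PORT


if __name__ == "__main__":
    internet = IpRange(20, "0.0.0.0/0", "Internet", True)
    proxy = IpRange(25, PROXY_IP + "/32", "ASSP proxy", False)
    attackers = ["203.0.113.5", "203.0.113.6"]        # constructed outside addresses
    print("proxy banned without exemption:", attack_through_proxy(AutoBan(3, [internet]), attackers, 2))
    print("proxy banned with priority-25 exemption:", attack_through_proxy(AutoBan(3, [internet, proxy]), attackers, 2))
    print("AUTH on public port:", auth_allowed(PUBLIC_PORT), "| private port:", auth_allowed(PRIVATE_PORT))
```

The exemption removes the symptom but not the exposure: once the proxy address no longer counts, failed logins arriving through it are invisible to the backend's auto-ban, so the per-client limit has to be enforced at the proxy, where the real source address is known, and the public port should not offer AUTH at all.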

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2014-01-24 00:26

LesD wrote:ASSP allows for the definition of two sets of incoming ports with matching output ports.

Wouldn't the following be a simple solution to differentiate between public mail and private?

ASSP: incoming: port 25 forwarded to hMS: port 125

ASSP: incoming: port 60025 forwarded to hMS: port 60125

In hMS script you block AUTH on port 125 only.

Local users, and privileged public users, would use 60025 and thereby bypass the AUTH blocking and still benefit from the ASSP whitelisting.
Indeed that should work well for someone who needs that feature.
Bill

Zipi
New user
New user
Posts: 4
Joined: 2014-04-22 18:13

Re: Permanently attacks from the mailservers own public IP

Post by Zipi » 2014-04-22 18:25

I too have been battling this for a while now, glad I found this post.
My 1st (and easiest?) workaround was to set Assp maxAuthErrors lower than hMailServer's :),
which seemed the easiest to me to overcome the Autoban issues with a single config change,
but still gives 1 shot for the hack attempt.

But what I'd like to do is either disable, via assp config, all internet IPs' ability to do AUTH,
or something like LesD suggested:
LesD wrote:ASSP allows for the definition of two sets of incoming ports with matching output ports.

Wouldn't the following be a simple solution to differentiate between public mail and private?

ASSP: incoming: port 25 forwarded to hMS: port 125

ASSP: incoming: port 60025 forwarded to hMS: port 60125

In hMS script you block AUTH on port 125 only.

Local users, and privileged public users, would use 60025 and thereby bypass the AUTH blocking and still benefit from the ASSP whitelisting.
or both.

1. So my question is: how do I "In hMS script you block AUTH on port 125 only."?
2. How do I configure Assp to not accept login attempts from the internet at all?

Thanks
Last edited by Zipi on 2014-04-22 18:33, edited 1 time in total.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2014-04-22 18:32

Zipi wrote:I too have been battling this for a while now, glad I found this post.
My 1st (and easiest?) workaround was to set Assp maxAuthErrors lower than hMailServer's :),
which seemed the easiest to me to overcome the Autoban issues with a single config change,
but still gives 1 shot for the hack attempt.

But what I'd like to do is either disable, via assp config, all internet IPs' ability to do AUTH,
or something like LesD suggested:
LesD wrote:ASSP allows for the definition of two sets of incoming ports with matching output ports.

Wouldn't the following be a simple solution to differentiate between public mail and private?

ASSP: incoming: port 25 forwarded to hMS: port 125

ASSP: incoming: port 60025 forwarded to hMS: port 60125

In hMS script you block AUTH on port 125 only.

Local users, and privileged public users, would use 60025 and thereby bypass the AUTH blocking and still benefit from the ASSP whitelisting.
or both.

1. So my question is: how do I "In hMS script you block AUTH on port 125 only."?
2. How do I configure Assp to not accept login attempts from the internet at all?

Thanks

If you scroll back far enough everything is there, from the hmail script to block or allow AUTH on certain ports to my assp changes to not allow AUTH at all thru assp, if that is what you want. If your users are on the outside & you want them to send thru assp you'll find that requires a much more complicated setup though.
Bill

Zipi
New user
New user
Posts: 4
Joined: 2014-04-22 18:13

Re: Permanently attacks from the mailservers own public IP

Post by Zipi » 2014-04-22 18:42

Thank you, I will read again; guess I missed it,
but was wondering if I can do it with no code changes, via config only.
Assp does have some settings regarding that, but I'm afraid I don't understand them completely.
This
[screenshot: Clip_12.png]
And then these
[screenshot: Clip_13.png]
Any ideas if one of these can be used for it?

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2014-04-22 20:56

I'll check my assp but maybe those are new. Yeah those should work if they do what they say.

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2014-04-22 21:02

Zipi, I checked my ASSP & the 1st one you show exists & I have it set to 25, but if I recall it did not work & I still had dictionary attacks thru ASSP. Maybe they fixed it; I'd need to upgrade to find out. The other options you show are not in the version of assp I have, so they must be new. Perhaps they fixed the 1st setting when they added the others.

As far as if those settings would work for you, that'd be up to you. I'd at least read each to understand what they are supposed to do then do testing with & without set to see if they work and more importantly if they work as expected.
Bill

Zipi
New user
New user
Posts: 4
Joined: 2014-04-22 18:13

Re: Permanently attacks from the mailservers own public IP

Post by Zipi » 2014-04-22 21:12

Thank you, that's the problem: I don't know if these work or not yet, and hardly understand WHAT they do, as I did try the 1st one and it didn't work for me either!

This is the version I'm using here. It's the newest; I downloaded it yesterday to see if I can find settings for it, and found these.
Now there appears to be a problem with sourceforge; to download this latest version 1.9.9(14124) use the cvs link:
http://assp.cvs.sourceforge.net/viewvc/assp/asspV1/

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Permanently attacks from the mailservers own public IP

Post by Bill48105 » 2014-04-22 22:54

Zipi wrote:Thank you, that's the problem: I don't know if these work or not yet, and hardly understand WHAT they do, as I did try the 1st one and it didn't work for me either!

This is the version I'm using here. It's the newest; I downloaded it yesterday to see if I can find settings for it, and found these.
Now there appears to be a problem with sourceforge; to download this latest version 1.9.9(14124) use the cvs link:
http://assp.cvs.sourceforge.net/viewvc/assp/asspV1/
Ok, I'm on asspv2 for multi-threading. The 2 assp's don't always have the same options.

Based on what it SAYS it should block AUTH attempts, but in my testing it still let AUTH by. (It's obvious when you get autobans for the ASSP IP in hmail, but you can search hmail logs & see the login attempts from the ASSP IP.) Either way I've used ASSP for years now & since I made my mod a long time ago & I know it works I just stick to it. At some point ASSP might fix it, or maybe I didn't configure it right, but I just use what I know works. :)
Bill
